Mozilla Foundation Security Advisory 2011-55

nsSVGValue out-of-bounds access

Announced: December 20, 2011
Reporter: regenrecht via TippingPoint's ZDI
Impact: Critical
Products: Firefox, SeaMonkey, Thunderbird
Fixed in: Firefox 3.6.28, Firefox 9, SeaMonkey 2.6, Thunderbird 9

Description

Security researcher regenrecht reported via
TippingPoint's Zero Day Initiative that a flaw in the Mozilla SVG
implementation could result in an out-of-bounds memory access if
SVG elements were removed during a DOMAttrModified event handler.

This vulnerability does not affect products prior to Firefox 8
and SeaMonkey 2.5. Thunderbird 8 users would be vulnerable only if
using a browser-like feature that allowed scripts to run; users
are not at risk while reading mail.